FreeRADIUS and OpenSSL Linkage
jdennis at redhat.com
Fri Jan 9 18:34:11 CET 2009
Peter Nixon wrote:
> Sounds fine to me. Maybe we should also in future invesitgate using axtls in
> place of openssl. Not only is it an order of magnitude smaller which is
> great for embedded systems, it is also BSD licensed.
FWIW in Fedora we're trying to consolodate all of the crypto usage in
our distribution so that it uses NSS (Network Security Services),
http://www.mozilla.org/projects/security/pki/nss. We're doing this by
incrementally porting applications using OpenSSL or GNU TLS to NSS.
We're doing this for a few reasons, to reduce the attack surface by
having only a single crypto library which is well vetted, because NSS is
FIPS-140 certified (a government requirement), because NSS has a lot
more features (e.g. smart cards, integration with an entire PKI
ecosystem (e.g. the open source certificate management system DogTag,
http://pki.fedoraproject.org/wiki/PKI_Main_Page), and to eliminate the
obnoxious licensing issues with OpenSSL).
FreeRADIUS is on our list of applications to be ported to NSS. At the
moment the only thing holding that back is the lack of time (I'm the
mostly likely person to perform the port and I don't have any space
cycles at the moment). If anybody else has some extra cycles to help
port FreeRADIUS to NSS please let me know, your help would be greatly
Alan has told me in the past he is in favor of having a NSS port.
John Dennis <jdennis at redhat.com>
More information about the Freeradius-Devel